- Introduction to the Unbound DNS server:
RHEL 7.x ships two DNS server packages, BIND and Unbound; Unbound is the one Red Hat recommends. BIND still has the largest user base worldwide, but this veteran product was designed for simple networks, and as networks have grown it has become less and less suited to serving DNS in today's large, complex environments. Unbound is the default DNS resolver on FreeBSD (a Unix-like system). It is a capable, security-focused, cross-platform (Unix-like, Linux, Windows) DNS server that is easy to configure and supports DNSSEC validation, recursion (and forwarding), and caching.
- Unbound DNS server configuration:
(Prerequisites: the installation ISO is mounted, the yum repository is configured, the firewall is stopped, and SELinux is in permissive mode. The last two are lab shortcuts only; on a real server keep SELinux enforcing and open just the DNS service, port 53 tcp and udp, in firewalld.)
- Check whether the packages are already installed
[root@llh ~]# rpm -qa 'unbound*' //list the installed unbound packages
unbound-libs-1.4.20-26.el7.x86_64
[root@llh ~]# yum list | grep ^unbound //list the unbound packages the repository offers
unbound-libs.x86_64 1.4.20-26.el7 @anaconda/7.2
unbound.x86_64 1.4.20-26.el7 base //the main package
unbound-libs.i686 1.4.20-26.el7 base
- Install the package:
[root@llh ~]# yum install unbound -y
[root@llh ~]# rpm -qc unbound //list the package's configuration files and directories
/etc/sysconfig/unbound
/etc/unbound/conf.d/example.com.conf
/etc/unbound/keys.d/example.com.key
/etc/unbound/local.d/block-example.com.conf
/etc/unbound/unbound.conf //main (global) configuration file
- Edit the main configuration file
[root@llh ~]# vim /etc/unbound/unbound.conf
38 interface: 192.168.154.140 //the address to listen on (by default Unbound listens on localhost only)
176 access-control: 192.168.154.0/24 allow //which source networks may query (allow) or are turned away (refuse); by default only localhost is allowed and everything else is refused
211 username: "unbound" //keep the default: this is the unprivileged account Unbound switches to after binding port 53. Do not set it to "" (that leaves the daemon running as root); who is allowed to query is controlled by access-control, not by this setting
372 domain-insecure: "haha.edu" //skip DNSSEC validation for haha.edu so the locally defined zone does not fail the chain-of-trust check
- Configure the zone data: forward and reverse records
[root@llh ~]# cd /etc/unbound/local.d/ //directory holding the template; unbound.conf includes every *.conf file in it
[root@llh local.d]# ll
total 4
-rw-rw-r--. 1 root unbound 359 Sep 22 2015 block-example.com.conf //template
Copy the template and edit the copy (remove the template's own example.com entries from the copy):
[root@llh local.d]# cp -p block-example.com.conf haha.edu.conf //the file name must end in .conf, otherwise the include in unbound.conf will not pick it up
[root@llh local.d]# vim haha.edu.conf
11 # forward records
12 local-data: "haha.edu. 86400 IN SOA ns1.haha.edu. root.haha.edu. 1 1D 1H 1W 1H"
13 local-data: "ns1.haha.edu. IN A 192.168.154.140"
14 local-data: "ns2.haha.edu. IN A 192.168.154.11"
15 local-data: "www.haha.edu. IN A 192.168.154.12"
16 local-data: "web.haha.edu. IN CNAME www.haha.edu."
17 local-data: "mail.haha.edu. IN A 192.168.154.140"
18 local-data: "haha.edu. IN MX 5 mail.haha.edu."
19 # reverse records
20 local-data-ptr: "192.168.154.140 ns1.haha.edu"
21 local-data-ptr: "192.168.154.11 ns2.haha.edu"
22 local-data-ptr: "192.168.154.12 www.haha.edu"
23 local-data-ptr: "192.168.154.12 web.haha.edu"
24 local-data-ptr: "192.168.154.140 mail.haha.edu"
Without an explicit local-zone line Unbound creates haha.edu as a transparent zone: names under haha.edu that are not listed here are still looked up upstream. Add local-zone: "haha.edu." static if unknown names should get NXDOMAIN instead.
The same data can also go directly into the main configuration file (inside the server: section); a reference template follows:
[root@dns1~]# vim /etc/unbound/unbound.conf
local-zone: "haha.edu." static //line 455: declare the zone; static means names under haha.edu not listed below get NXDOMAIN instead of being forwarded upstream
//add the following 7 local-data lines to define the forward records
local-data: "haha.edu. 86400 IN SOA ns1.haha.edu. root.haha.edu. 1 1D 1H 1W 1H"
local-data: "ns1.haha.edu. IN A 192.168.154.140"
local-data: "ns2.haha.edu. IN A 192.168.154.11"
local-data: "www.haha.edu. IN A 192.168.154.12"
local-data: "web.haha.edu. IN CNAME www.haha.edu."
local-data: "mail.haha.edu. IN A 192.168.154.140"
local-data: "haha.edu. IN MX 5 mail.haha.edu."
//add the following 5 local-data-ptr lines to define the reverse records
local-data-ptr: "192.168.154.140 ns1.haha.edu"
local-data-ptr: "192.168.154.11 ns2.haha.edu"
local-data-ptr: "192.168.154.12 www.haha.edu"
local-data-ptr: "192.168.154.12 web.haha.edu"
local-data-ptr: "192.168.154.140 mail.haha.edu"
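Both layouts above (the local.d file and the main-config variant) hand-maintain two parallel lists, and the data already shows how they drift: web.haha.edu is a CNAME yet also gets its own PTR. The following POSIX sh script is an added example, not part of the original page: it derives the local-zone, SOA, A, CNAME, MX and local-data-ptr lines from one plain "host TYPE value" list (constructed here from the haha.edu data) so the reverse records always follow the A records. The function name gen_unbound_zone and the hostmaster mailbox in the SOA are this example's own choices.

```shell
#!/bin/sh
# Added example: emit Unbound local-zone/local-data stanzas from one host list so the
# forward A records and the reverse PTR records cannot drift apart.
# Input format (one record per line, "#" comments allowed):
#   <host> A <ip>        <host> CNAME <host>        @ MX <priority> <host>
# Host names are relative to the zone; "@" stands for the zone apex.
gen_unbound_zone() {
    zone="$1"   # e.g. haha.edu
    ns="$2"     # relative name of the primary name server, e.g. ns1
    awk -v zone="$zone" -v ns="$ns" '
    BEGIN {
        bad = 0; n = 0
        # static: names under the zone that are not listed get NXDOMAIN instead of
        # being forwarded upstream (a transparent zone would leak them)
        printf "local-zone: \"%s.\" static\n", zone
        printf "local-data: \"%s. 86400 IN SOA %s.%s. hostmaster.%s. 1 1D 1H 1W 1H\"\n",
               zone, ns, zone, zone
    }
    /^[ \t]*(#|$)/ { next }                         # skip comments and blank lines
    $2 == "A" {
        fqdn = ($1 == "@") ? zone : $1 "." zone
        printf "local-data: \"%s. IN A %s\"\n", fqdn, $3
        ptr[n++] = $3 " " fqdn                      # one PTR per A record, nothing else
        next
    }
    $2 == "CNAME" {
        printf "local-data: \"%s.%s. IN CNAME %s.%s.\"\n", $1, zone, $3, zone
        next
    }
    $2 == "MX" {
        printf "local-data: \"%s. IN MX %s %s.%s.\"\n", zone, $3, $4, zone
        next
    }
    { print "line " NR ": unsupported record: " $0 > "/dev/stderr"; bad = 1 }
    END {
        for (i = 0; i < n; i++) printf "local-data-ptr: \"%s\"\n", ptr[i]
        exit bad                                    # non-zero if any line was rejected
    }'
}

# Constructed host list mirroring the haha.edu data used on this page.
HOSTS='# host  type  value
ns1   A      192.168.154.140
ns2   A      192.168.154.11
www   A      192.168.154.12
mail  A      192.168.154.140
web   CNAME  www
@     MX     5 mail'

# Print the generated stanzas; redirect into /etc/unbound/local.d/haha.edu.conf to use them.
printf '%s\n' "$HOSTS" | gen_unbound_zone haha.edu ns1
```

Note that the CNAME alias web gets no PTR: a reverse lookup of 192.168.154.12 should return the canonical name only, which is what the generator enforces. Unsupported record types are reported on stderr and make the function exit non-zero, so a typo cannot silently produce a half-written zone.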
- Check the syntax and start the service:
[root@llh local.d]# unbound-checkconf
/etc/unbound/unbound_server.key: No such file or directory
[1584074279] unbound-checkconf[5445:0] fatal error: server-key-file: "/etc/unbound/unbound_server.key" does not exist //the key pair that unbound-control uses for its TLS channel has not been generated yet
Handling the error: either generate the keys with unbound-control-setup -d /etc/unbound, or, as below, switch remote control off by commenting out the lines the error points at. The trade-off of the second option: with control-enable off, unbound-control (reload, flush a cached name, stats) no longer works and the service has to be restarted with systemctl instead.
[root@llh ~]# vim /etc/unbound/unbound.conf
499 #control-enable: yes
510 #server-key-file: "/etc/unbound/unbound_server.key"
513 #server-cert-file: "/etc/unbound/unbound_server.pem"
516 #control-key-file: "/etc/unbound/unbound_control.key"
519 #control-cert-file: "/etc/unbound/unbound_control.pem"
Run the check again:
[root@llh local.d]# unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf //no errors reported, so the configuration is valid
Start the service:
[root@llh local.d]# systemctl start unbound //starts without error; also run systemctl enable unbound so it starts at boot
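unbound-checkconf only tells you the file parses; it says nothing about the weak choices from the main-configuration step above (an empty username, an access-control that lets the whole Internet query) and it aborts, as just seen, when remote control is enabled before its keys exist. The following POSIX sh script is an added example, not part of the original page or of Unbound itself: a pre-flight audit that greps a config file for exactly those conditions, run here against two constructed configs (a "lab shortcut" version and a hardened one) written to a temporary directory. The function name audit_unbound_conf and the message wording are this example's own.

```shell
#!/bin/sh
# Added example: a pre-flight audit for unbound.conf that flags the settings a lab
# walkthrough tends to leave behind, plus the missing remote-control key files that
# make unbound-checkconf abort. Prints one line per finding, then a "findings: N"
# summary, and returns non-zero when N > 0 so it can gate a deployment.
# Assumption: one "key: value" per line, as in the RHEL 7 sample unbound.conf.
audit_unbound_conf() {
    conf="$1"
    findings=0
    # Drop comments and indentation once so every check below is a plain anchored grep.
    stripped=$(sed -e 's/#.*$//' -e 's/^[[:space:]]*//' "$conf")

    # 1. username: "" keeps the daemon running as root instead of dropping to "unbound".
    if printf '%s\n' "$stripped" | grep -q '^username:[[:space:]]*""'; then
        echo "WEAK: username is empty, unbound will keep running as root"
        findings=$((findings + 1))
    fi

    # 2. Allowing every source address turns the server into an open resolver.
    if printf '%s\n' "$stripped" \
       | grep -Eq '^access-control:[[:space:]]*(0\.0\.0\.0/0|::/0)[[:space:]]+allow'; then
        echo "WEAK: access-control allows any source address (open resolver)"
        findings=$((findings + 1))
    fi

    # 3. Listening on all interfaces with no access-control at all is the same problem.
    if printf '%s\n' "$stripped" | grep -Eq '^interface:[[:space:]]*(0\.0\.0\.0|::0?)$' \
       && ! printf '%s\n' "$stripped" | grep -q '^access-control:'; then
        echo "WEAK: listening on all interfaces with no access-control restriction"
        findings=$((findings + 1))
    fi

    # 4. remote-control enabled but a key/cert file missing: unbound-checkconf fails.
    if printf '%s\n' "$stripped" | grep -q '^control-enable:[[:space:]]*yes'; then
        for key in server-key-file server-cert-file control-key-file control-cert-file; do
            path=$(printf '%s\n' "$stripped" \
                   | sed -n "s/^$key:[[:space:]]*\"\(.*\)\"/\1/p" | head -n 1)
            if [ -n "$path" ] && [ ! -f "$path" ]; then
                echo "ERROR: control-enable is yes but $key \"$path\" does not exist"
                findings=$((findings + 1))
            fi
        done
    fi

    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Two constructed configs: the lab shortcuts from this page, and a hardened version.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
WEAK_CONF="$tmp/weak.conf"
HARDENED_CONF="$tmp/hardened.conf"
cat > "$WEAK_CONF" <<EOF
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    username: ""            # meant as "anyone may query"; it is really the drop-privileges account
    domain-insecure: "haha.edu"
remote-control:
    control-enable: yes
    server-key-file: "$tmp/unbound_server.key"
    server-cert-file: "$tmp/unbound_server.pem"
    control-key-file: "$tmp/unbound_control.key"
    control-cert-file: "$tmp/unbound_control.pem"
EOF
cat > "$HARDENED_CONF" <<EOF
server:
    interface: 192.168.154.140
    access-control: 192.168.154.0/24 allow
    username: "unbound"
    domain-insecure: "haha.edu"
remote-control:
    control-enable: no
EOF

for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    echo "== $f"
    audit_unbound_conf "$f" || echo "(exit status $?: do not deploy this file)"
done
```

Run it against /etc/unbound/unbound.conf before unbound-checkconf; the weak sample yields two WEAK lines and four ERROR lines (one per missing key or certificate file), the hardened sample yields none and exits 0.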
- Testing:
[root@llh local.d]# nslookup
> server 192.168.154.140 //point nslookup at the new server
Default server: 192.168.154.140
Address: 192.168.154.140#53
> www.haha.edu
Server: 192.168.154.140
Address: 192.168.154.140#53
Name: www.haha.edu
Address: 192.168.154.12
> set type=cname //alias (CNAME) test
> web.haha.edu
Server: 192.168.154.140
Address: 192.168.154.140#53
web.haha.edu canonical name = www.haha.edu.
> set type=mx //MX test; the record type has to be set explicitly
> haha.edu
Server: 192.168.154.140
Address: 192.168.154.140#53
haha.edu mail exchanger = 5 mail.haha.edu.
> 192.168.154.12 //reverse lookup test
Server: 192.168.154.140
Address: 192.168.154.140#53
12.154.168.192.in-addr.arpa name = www.haha.edu.
12.154.168.192.in-addr.arpa name = web.haha.edu.
> 192.168.154.140 //reverse lookup test
Server: 192.168.154.140
Address: 192.168.154.140#53
140.154.168.192.in-addr.arpa name = ns1.haha.edu.
140.154.168.192.in-addr.arpa name = mail.haha.edu.
> exit //quit nslookup
Or test with host:
[root@llh local.d]# host -t mx haha.edu 192.168.154.140
Using domain server:
Name: 192.168.154.140
Address: 192.168.154.140#53
Aliases:
haha.edu mail is handled by 5 mail.haha.edu.
A client can also be pointed at the server permanently, just as with a BIND server:
[root@client ~]# vim /etc/resolv.conf
nameserver 192.168.154.140
On RHEL 7 NetworkManager rewrites /etc/resolv.conf, so to make this persist set DNS1=192.168.154.140 in the interface's ifcfg file (or nmcli con mod <connection> ipv4.dns 192.168.154.140) instead of editing resolv.conf by hand.